I can't even build openssl-fips.1.1.1 if the "shared" option is
specified.  I had to remove it as you (Bill) did for the openssl-0.9.7m.
My build host is an oldish Debian (Woody) PowerPC box.
  $ uname -a
  Linux larabee 2.4.25-powerpc #1 mer avr 14 15:38:38 CEST 2004 ppc unknown

Why does "shared" cause things to barf?
It seems the build system does not append the -lcrypto to find the
necessary library functions.  Is this a bug ???

But as I have just read, it seems the Security Policy mandates only the
"fips" option be supplied to be FIPS140 compliant.

What about directory directives, such as --prefix, --openssldir,
--install_prefix ???

Having built without the shared option, I notice that only static libraries are created. But we have applications that have previously linked with shared libraries.
Are shared libraries supposed to be generated for a fips build?

I could build without the fips parameter, but I need one of the RSA Key Gen functions (RSA_X931_generate_keys()) that is encapsulated in a #ifdef OPENSSL_FIPS statement.

I guess one solution may be to use "shared" but not "fips" and supply "-DOPENSSL_FIPS".
Would that work ???

Suggestions welcome :)

Cheers, Brendan.


Bill Colvin wrote:
Sorry for previous post.  All worked fine with the shared term removed
from the config line using openssl-0.9.7m.


Steps I used are as follows:

cd /usr/src
tar -xvf openssl-fips-1.1.1.tar.gz
cd openssl-fips-1.1.1
./config fips
make
make install
cd ..
rm -rf openssl-fips-1.1.1

tar -xvf openssl-0.9.7m.tar.gz
cd openssl-0.9.7m
./config fips --openssldir=/etc/ssl --prefix=/usr zlib-dynamic \
    no-idea no-mdc2 no-rc5
make depend
make MANDIR=/usr/share/man
make MANDIR=/usr/share/man install


Bill
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

